Question

Now let’s discuss how you can find faulty SAML implementations and use them to bypass your target’s SSO access controls. Before you dive in, be sure to confirm that the website is indeed using SAML. You can figure this out by intercepting the traffic used for authenticating to a site and looking for XML-like messages or the keyword saml . Note that SAML messages aren’t always passed in plain XML format. They might be encoded in base64 or other encoding schemes.

现在让我们讨论如何找到有缺陷的 SAML 实现，并使用它们绕过目标的 SSO 访问控制。在深入研究之前，请务必确认网站确实在使用 SAML。您可以通过拦截用于身份验证站点的流量，并查找类似于 XML 的消息或关键字 SAML 来弄清楚。请注意，SAML 消息并不总是以纯 XML 格式传递。它们可能会以 base64 或其他编码方案进行编码。

Step 1: Locate the SAML Response

First and foremost, you need to locate the SAML response. You can usually do this by intercepting the requests going between the browser and the service provider using a proxy. The SAML response will be sent when the user’s browser is logging into a new session for that particular service provider.

首先，您需要定位 SAML 响应。您通常可以通过使用代理截获浏览器和服务提供商之间的请求来完成此操作。当用户的浏览器登录该特定服务提供商的新会话时，将发送 SAML 响应。

Step 2: Analyze the Response Fields

Once you’ve located the SAML response, you can analyze its content to see which fields the service provider uses for determining the identity of the user. Since the SAML response is used to relay authentication data to the service provider, it must contain fields that communicate that information. For example, look for field names like username , email address , userID , and so on. Try tampering with these fields in your proxy. If the SAML message lacks a signature, or if the signature of the SAML response isn’t verified at all, tampering with the message is all you need to do to authenticate as someone else!

一旦找到了 SAML 响应，您可以分析其内容，看看服务提供商用于确定用户身份的哪些字段。由于 SAML 响应用于将认证数据传递给服务提供商，因此必须包含传达该信息的字段。例如，查找字段名称，例如用户名、电子邮件地址、用户 ID 等。尝试在代理中篡改这些字段。如果 SAML 消息缺少签名，或者根本不验证 SAML 响应的签名，则篡改消息就足以作为其他人进行认证！

Step 3: Bypass the Signature

If the SAML message you’re tampering with does have a signature, you can try a few strategies to bypass it.

如果你篡改的 SAML 消息具有签名，你可以尝试一些策略来绕过它。

If the signatures are verified only when they exist, you could try removing the signature value from the SAML response. Sometimes this is the only action required to bypass security checks. You can do this in two ways. First, you can empty the signature field:

如果只有存在签名时才会验证签名，您可以尝试从 SAML 响应中删除签名值。有时这是绕过安全检查所必需的唯一操作。您可以用两种方式来实现。首先，您可以清空签名字段：

<saml:Signature> 
      <saml:SignatureValue> 

      </saml:SignatureValue> 
    </saml:Signature> 
<saml:AttributeStatement>
  <saml:Attribute Name="username">
    <saml:AttributeValue>
      victim_user
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Or you can try removing the field entirely:

或者你可以尝试完全删除该字段：

<saml:AttributeStatement>
  <saml:Attribute Name="username">
    <saml:AttributeValue>
      victim_user
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

If the SAML response signature used by the application is predictable, like the base64 example we discussed earlier, you can simply recalculate the signature and forge a valid SAML response.

如果应用程序使用的 SAML 响应签名是可预测的，就像我们之前讨论的 base64 示例一样，您可以简单地重新计算签名并伪造一个有效的 SAML 响应。

Step 4: Re-encode the Message

After tampering with the SAML response, re-encode the message into its original form and send it back to the service provider. The service provider will use that information to authenticate you to the service. If you’re successful, you can obtain a valid session that belongs to the victim’s account. SAML Raider is a Burp Suite extension that can help you with editing and re-encoding SAML messages.

篡改 SAML 响应后，重新编码消息并将其发送回服务提供商。服务提供商将使用该信息来对您进行身份验证。如果成功，则可以获得属于受害者帐户的有效会话。SAML Raider 是一个 Burp Suite 扩展，可以帮助您编辑和重新编码 SAML 消息。